Open captaintrips760 opened 8 years ago
Does your server SSL certificate have both the client and server bits set?
openssl x509 -in yourcertificate.crt -text -noout
X509v3 Extended Key Usage: TLS Web Client Authentication, TLS Web Server Authentication
Hi, thanks for the response. It does not appear so. I just used the prosodyctl command to generate a self-signed certificate. Is there a command I can use to insert this into the existing key, or should I create a new key? I am not very familiar with using OpenSSL; if anyone could provide an example for creating a key with this extension, or whatever you would call it, it would be greatly appreciated! TIA.
Ah, that might be it: we check that the certificate is valid, so self-signed won't work either. You can get a free cert from StartSSL (easy) or Let's Encrypt (harder to set up).
Well, once I installed the correct certificate so it was verifiable, it started to work as expected! Thank you.
Hi, I have a similar problem.
1474894474 c2s2b06180 debug Attempting to enable push notifications
1474894474 c2s2b06180 info Push notifications enabled
...
1474892229 s2sin2b3d8d0 debug Received[s2sin]:
Cert signed by WoSign: https://xmpp.net/result.php?domain=im.bozza.ru&type=client
Test: Pidgin on Win 7, ChatSecure v3.2.3 (reinstalled, agreed to pushes) on iPhone.
Two to three minutes of screen lock on the iPhone and there are no pushes.
What should I check to enable push? Maybe I missed some settings in cloud_notify (as I see it, I shouldn't edit this module before enabling it)?
Same here. My server receives IQ result responses from pubsub.chatsecure.org for all push notifications, but only some of them actually lead to ChatSecure attempting to reconnect.
I want to check out some unneeded points:
Could you explain it to me, please!
Addition: as far as I know, the regular scheme is: So, you want to avoid Apple (APNs)? Yes?
Maybe there is another way: use APNs only to send a notice that something can be sent? No data is sent to APNs. What are the security risks?
Or do you know some service with an API which can just send a push notice to the iPhone saying "Ok, let's check your ChatSecure now!"? Is this not a security hole? Do you know such services for non-programmers? I can understand an easy script, but I'm not a professional at it.
No content is sent via push message, it just tells the app to wake up in the background.
Pushes are not 100% reliable because we rely on background fetch, which is throttled by the OS in low-battery situations or when background fetch is turned off.
Ok, this is great! How to implement it? IM without push nowadays is impossible, absolutely. What steps should I take in order to understand why the added pushes (yay!) are not delivered, via 3G/4G mobile network, office wifi, VPN...? I have Prosody with mod_cloud_notify, installed right after reading the announcement about push in ChatSecure. I prepared a separate domain and an SSL cert from WoSign. With IM+, push is working. ChatSecure: no. I underline that IM+ is without OTR; plain text pushed goes to /dev/null. I'm not trolling or comparing. I just want to solve the task (as for me, the only real problem).
If all of the above is not close to the original issue, ok, I'll stop discussing it here. Just let me know, please.
IM+ doesn't do push with XEP-0357. They store your user credentials on their server and run a thin client man-in-the-middle and forward the responses to the app.
Hello everyone, I'm just joining this discussion as I have a problem that seems similar. I have been trying to get push notifications for iOS working, but without luck. I am running Prosody 0.9.10. I have mod_smacks, mod_smacks_offline and mod_cloud_notify enabled. Everything seems to be fine, but when it comes to actually sending push notifications I get an error message. It seems that my Prosody doesn't get a connection with ChatSecure. See the log:
Sep 27 21:36:43 s2sout1e63b10 info Beginning new connection attempt to pubsub.chatsecure.org ([107.170.218.87]:5269)
Sep 27 21:36:45 domain.com:saslauth info SASL EXTERNAL with pubsub.chatsecure.org failed
Sep 27 21:36:45 s2sout1e63b10 info sent dialback key on outgoing s2s stream
Sep 27 21:36:45 s2sout1e63b10 info outgoing s2s stream domain.com->pubsub.chatsecure.org closed: stream closed
Sep 27 21:36:45 s2sout1e63b10 info Sending error replies for 5 queued stanzas because of failed outgoing connection to pubsub.chatsecure.org
Sep 27 21:36:47 domain.com:saslauth info Accepting SASL EXTERNAL identity from pubsub.chatsecure.org
Sep 27 21:36:47 s2sin1d20940 info incoming s2s connection pubsub.chatsecure.org->domain.com complete
I have a StartSSL certificate with TLS Web Client Authentication and TLS Web Server Authentication. I don't know what to do with it, and any help is much appreciated.
@mlmss Is your TLS certificate valid for everything in your SRV records?
I have the same Prosody setup on my personal XMPP server, as well as a StartSSL cert valid for both example.com and xmpp.example.com, and it works without issue.
Perhaps that is the problem. I have a valid certificate for both, but as I have my server running at home with changing IP addresses, I have a redirection in place.
@chrisballinger, yes, and that's why only ChatSecure :) @mlmss, is your problem the IP address, or do you not know at this time?
Unfortunately I'm not an expert in SRV records, but I've set them on my domain hoster's admin page according to example 2 here: http://wiki.xmpp.org/web/SRV_Records However, the server is redirected. I've no idea what else I could do about it. Everything else works fine; it is just the push notifications on iOS that are not working properly.
Thank you for the link to SRV records. I've never seen it before. But as I see, iOS devices are still without push...
After much testing, things are getting a bit weird now. I still have the outgoing connection issue, but nevertheless, if I send a message from my Android tablet (using Zom) to my iPhone, the push notification seems possible. At first I get a message "xy wants to chat" and a second later the message appears on the iPhone lock screen.
I just tried sending messages from an iPhone 6 to an iPhone 5s, and there push notifications are delivered too, however just in one direction: 6 > 5s, not the other way round.
On the 5s there are two other strange things: first, it stops OTR very often, and in the settings there are no options for granting access to Photos and Camera (it's there on the iPhone 6, and both have iOS 10).
Any ideas? Thanks.
@mlmss "Knock" pushes from CS<->Zom use a slightly different mechanism and bypass the XMPP / pubsub server altogether. Perhaps there are issues with our pubsub server.
If camera permissions have been denied in the past, you'll have to go to the Settings app -> Privacy and enable it for ChatSecure. Regardless you should still see the camera button when you're in an OTR session.
@chrisballinger: thanks for your help. I've done some additional testing, and at least the camera issue is solved now. I've also switched to Zom for all devices (2x iPhone and 1 Android tablet); however, push for iOS is not reliable, whereas from Android to iOS it seems to work all the time.
I still have the SASL EXTERNAL issue, and after reading and testing a lot I have no idea anymore. I've even set up a separate server on an A-record domain without much luck.
Here is the log, perhaps it helps:
Oct 05 22:52:35 s2sout1645860 info Beginning new connection attempt to pubsub.chatsecure.org ([107.170.218.87]:5269)
Oct 05 22:52:35 s2sout179f9e0 info Out of connection options, can't connect to pubsub-test.chatsecure.org
Oct 05 22:52:35 s2sout179f9e0 info Sending error replies for 6 queued stanzas because of failed outgoing connection to pubsub-test.chatsecure.org
Oct 05 22:52:35 s2sout1369100 info Out of connection options, can't connect to pubsub-test.chatsecure.org
Oct 05 22:52:35 s2sout1369100 info Sending error replies for 6 queued stanzas because of failed outgoing connection to pubsub-test.chatsecure.org
Oct 05 22:52:36 xmpp.example.com:saslauth info SASL EXTERNAL with pubsub.chatsecure.org failed
Oct 05 22:52:36 s2sout1645860 info sent dialback key on outgoing s2s stream
Oct 05 22:52:36 s2sout1645860 info outgoing s2s stream xmpp.example.com->pubsub.chatsecure.org closed: stream closed
Oct 05 22:52:36 s2sout1645860 info Sending error replies for 4 queued stanzas because of failed outgoing connection to pubsub.chatsecure.org
What is new is that there is now a pubsub and a pubsub-test server.
It shouldn't be using pubsub-test.chatsecure.org, only pubsub.chatsecure.org. Zom's push server is misconfigured: http://push.zom.im/api/v1/pubsub/
Zom only uses "knock" style pushes. If you want to send a knock on iOS, do not write message text, just press the knock button (in the place of the send button) when the other contact is offline.
Thanks a lot for your help. After some additional testing I found the reason for the SASL external error: the intermediate certificate was not part of the certificate file.
Because of the pubsub-test issue I switched completely to Chatsecure apps (on iOS and Android) but the server still tries to connect to pubsub-test. The message is 'Out of connection options, can't connect to pubsub-test.chatsecure.org'. I don't know where that comes from.
The bigger problem, however, is that it is almost impossible to chat because of loads of OTR errors. It doesn't matter whether the chat is between two iOS devices or one iPhone and an android tablet.
Here is an extract from the log file:
Oct 10 18:52:22 c2s2474bb0 debug Q item 7:
Thanks for any hint.
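The three certificate questions raised so far in this thread (do the EKU bits include TLS Web Client Authentication, does the certificate cover every name in the SRV records, and is the intermediate present in the certificate file) can be checked offline. The Go program below is an added example, not code from ChatSecure or Prosody: it builds a throwaway root/intermediate/leaf chain with made-up names and then evaluates the leaf the way a remote server does before accepting SASL EXTERNAL, using only the intermediates actually presented, reporting the clientAuth/serverAuth EKU bits separately, and checking SAN coverage for each SRV target. The hostnames, the `BuildChain` PKI and the `CheckS2SCert`/`Report` names are assumptions of the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a throwaway root -> intermediate -> leaf PKI standing in for a
// public CA; every name in it is made up for this example.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// issue signs tmpl with parentKey (self-signed when parent is nil); it panics
// on error because this PKI exists only to drive the checks below.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

func ca(cn string, serial int64) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}

// BuildChain issues a leaf whose SANs are the SRV target names and whose
// Extended Key Usage holds exactly the bits passed in.
func BuildChain(hosts []string, ekus ...x509.ExtKeyUsage) *Chain {
	root, rootKey := issue(ca("Example Root CA", 1), nil, nil)
	inter, interKey := issue(ca("Example Intermediate CA", 2), root, rootKey)
	leaf, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: hosts[0]},
		DNSNames: hosts, ExtKeyUsage: ekus,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}, inter, interKey)
	return &Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// Report is what a peer effectively decides before accepting SASL EXTERNAL.
type Report struct {
	MissingEKU []string // of "clientAuth", "serverAuth"
	ChainOK    bool
	ChainErr   string
	BadHosts   []string // SRV targets the leaf's SANs do not cover
}

var ekuName = map[x509.ExtKeyUsage]string{x509.ExtKeyUsageClientAuth: "clientAuth", x509.ExtKeyUsageServerAuth: "serverAuth"}

// CheckS2SCert chains leaf to the trusted root using only the intermediates
// actually presented (what is in the cert file), reports the EKU bits
// separately so a chain gap is not masked, and checks every SRV target name.
func CheckS2SCert(leaf *x509.Certificate, presented []*x509.Certificate, root *x509.Certificate, srvTargets []string) Report {
	var r Report
	has := map[x509.ExtKeyUsage]bool{}
	for _, u := range leaf.ExtKeyUsage {
		has[u] = true
	}
	for _, w := range []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth} {
		if !has[w] {
			r.MissingEKU = append(r.MissingEKU, ekuName[w])
		}
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range presented {
		inters.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		r.ChainErr = err.Error()
	} else {
		r.ChainOK = true
	}
	for _, h := range srvTargets {
		if leaf.VerifyHostname(h) != nil {
			r.BadHosts = append(r.BadHosts, h)
		}
	}
	return r
}

func main() {
	hosts := []string{"example.com", "xmpp.example.com"}
	srv := []string{"example.com", "xmpp.example.com", "conference.example.com"}
	c := BuildChain(hosts, x509.ExtKeyUsageServerAuth)
	fmt.Printf("leaf only, serverAuth only:    %+v\n", CheckS2SCert(c.Leaf, nil, c.Root, srv))
	c = BuildChain(hosts, x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth)
	fmt.Printf("leaf+intermediate, both EKUs:  %+v\n", CheckS2SCert(c.Leaf, []*x509.Certificate{c.Intermediate}, c.Root, hosts))
}
```

The first report shows all three failure modes at once (unknown authority because the intermediate is absent, clientAuth missing, conference.example.com not covered); the second is clean. Against a real deployment, parse the PEM blocks of the file Prosody serves with x509.ParseCertificate, pass everything after the first block as `presented`, and use the system roots instead of the constructed one.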
@mlmss Ah that explains the SASL error. The problem is that your server now has two (or more) XEP-0357 records for your pubsub options, but we don't currently have a way to disable old registrations on our end, within the UI. http://xmpp.org/extensions/xep-0357.html#disabling
As far as the OTR errors, do you have message carbons or MAM turned on?
edit: made issue #572
@chrisballinger: can I do anything about the old records?
I had carbons and MAM enabled before, but disabled them yesterday already, without success.
Here is the list of all modules enabled: "roster"; "saslauth"; "tls"; "dialback"; "disco"; "posix"; "private"; "vcard"; "version"; "uptime"; "time"; "ping"; "pep"; "register"; "cloud_notify"; "bosh"; "http_files"; "http"; "http_upload"; "csi"; "smacks"; "smacks_offline"; "pinger";
Is there anything that could cause problems with Chatsecure on iOS?
@mlmss We don't have a way to remove the records yet, but Prosody doesn't persist them across reboots, so you could try that.
I think there may be problems with the pubsub server itself right now, which I'll try to debug today.
@mlmss Here's the config for my personal server which works w/ 0357 (just tested a minute ago).
modules_enabled = {
-- Generally required
"roster"; -- Allow users to have a roster. Recommended ;)
"saslauth"; -- Authentication for clients and servers. Recommended if you want to log in.
"tls"; -- Add support for secure TLS on c2s/s2s connections
"dialback"; -- s2s dialback support
"disco"; -- Service discovery
-- Not essential, but recommended
"private"; -- Private XML storage (for room bookmarks, etc.)
"vcard"; -- Allow users to set vCards
-- These are commented by default as they have a performance impact
--"privacy"; -- Support privacy lists
--"compression"; -- Stream compression
-- Nice to have
"version"; -- Replies to server version requests
"uptime"; -- Report how long server has been running
"time"; -- Let others know the time here on this server
"ping"; -- Replies to XMPP pings with pongs
"pep"; -- Enables users to publish their mood, activity, playing music and more
"pubsub";
"cloud_notify";
"pinger";
"smacks";
"smacks_offline";
"mam";
"csi";
"carbons";
--"register"; -- Allow users to register on this server using a client and change passwords
-- Admin interfaces
--"admin_adhoc"; -- Allows administration via an XMPP client that supports ad-hoc commands
--"admin_telnet"; -- Opens telnet console interface on localhost port 5582
-- HTTP modules
--"bosh"; -- Enable BOSH clients, aka "Jabber over HTTP"
--"http_files"; -- Serve static files from a directory over HTTP
-- Other specific functionality
"posix"; -- POSIX functionality, sends server to background, enables syslog, etc.
--"groups"; -- Shared roster support
--"announce"; -- Send announcement to all online users
--"welcome"; -- Welcome users who register accounts
--"watchregistrations"; -- Alert admins of registrations
--"motd"; -- Send a message to users when they log in
--"legacyauth"; -- Legacy authentication. Only used by some old clients and bots.
};
I did restart the pubsub server before I tested, so there is a chance it got stuck or something. I noticed that my Prosody server was having trouble doing DNS lookups and ended up disabling IPv6 system-wide because some people think there's a Prosody bug related to DNS resolution with IPv6.
Oct 11 16:50:17 adns debug Sending DNS query to 192.168.1.1
Oct 11 16:50:17 adns debug Reply for pubsub.chatsecure.org. (thread: 0x1f21800)
Oct 11 16:50:17 mod_s2s debug DNS lookup failed to get a response for pubsub.chatsecure.org.
Oct 11 16:50:17 s2sout1f1ded8 info Out of connection options, can't connect to pubsub.chatsecure.org
Oct 11 16:50:17 mod_s2s debug No other records to try for pubsub.chatsecure.org - destroying
@chrisballinger: Thanks for your help. I've compared your list of modules with mine and enabled pubsub in addition, but I'm unsure about mam and carbons. Better on or off? And do I have to configure anything for the modules (e.g. smacks)?
I've also disabled IPv6 and rebooted the server. At the moment no OTR errors, but I will test it further.
After a day of testing, I can say that there are still OTR errors, fewer but still. However, there is a new behaviour: the ChatSecure iOS app loses its connection quite often. Although it received a message 10 seconds ago, it is not connected when I try to send a reply. I get a warning and have to push the connect button.
You'll get OTR errors if the app leaves memory because the session is destroyed. Hopefully we'll finish the OMEMO stuff soon so you can test that.
I've noticed the disconnection/reconnection issue myself and will try to track it down. It might be a regression from attempting to improve it.
After days of extensive testing I cannot see a link between memory and OTR errors. Loads of them appear even in the middle of a chat, so I would not expect that the session is destroyed.
@mlmss Strange. Both sides are ChatSecure iOS?
Btw the OMEMO branch is working very well. Hopefully put out a beta in a few weeks :)
@chrisballinger: yes, only ChatSecure iOS. And it "forgets" the encryption. After switching it on again, the OTR errors occur. It says "You transmitted an unreadable encrypted message."
Here is the log of a couple of seconds where three OTR errors occurred:
Oct 18 20:04:34 c2sd6fe60 info Client connected
Oct 18 20:04:34 c2sd6fe60 info Authenticated as one@example.com
Oct 18 20:04:35 c2sd6fe60 info Push notifications enabled
Oct 18 20:04:35 s2sout126b280 info Out of connection options, can't connect to pubsub-test.chatsecure.org
Oct 18 20:04:35 s2sout126b280 info Sending error replies for 1 queued stanzas because of failed outgoing connection to pubsub-test.chatsecure.org
Oct 18 20:04:40 s2soutff56b0 info Out of connection options, can't connect to pubsub-test.chatsecure.org
Oct 18 20:04:40 s2soutff56b0 info Sending error replies for 1 queued stanzas because of failed outgoing connection to pubsub-test.chatsecure.org
Oct 18 20:04:44 c2sd3d390 info Client connected
Oct 18 20:04:45 c2sd3d390 info Authenticated as two@example.com
Oct 18 20:04:47 c2sd3d390 info Push notifications enabled
Oct 18 20:05:05 c2sd3d390 info Client disconnected: closed
Oct 18 20:05:05 s2soutecbbc0 info Out of connection options, can't connect to pubsub-test.chatsecure.org
Oct 18 20:05:05 s2soutecbbc0 info Sending error replies for 1 queued stanzas because of failed outgoing connection to pubsub-test.chatsecure.org
Oct 18 20:05:07 c2sf358a0 info Client connected
Oct 18 20:05:08 c2sf358a0 info Authenticated as two@example.com
Oct 18 20:05:08 c2sd3d390 info c2s stream for two@example.com/chatsecure86192 closed: Replaced by new connection
Oct 18 20:05:08 c2sd3d390 warn Destroying session with 1 unacked stanzas
Oct 18 20:05:10 c2sf358a0 info Push notifications enabled
Oct 18 20:05:11 c2sf358a0 warn The client says it handled 3 new stanzas, but we only sent 2 :)
Oct 18 20:05:29 c2sf358a0 info Client disconnected: closed
Oct 18 20:05:47 c2sf443e0 info Client connected
Oct 18 20:05:48 c2sf443e0 info Authenticated as two@example.com
Oct 18 20:05:48 c2sf358a0 info c2s stream for two@example.com/chatsecure86192 closed: Replaced by new connection
Oct 18 20:05:49 c2sf443e0 warn The client says it handled 8 new stanzas, but we only sent 6 :)
Oct 18 20:05:49 c2sf443e0 info Push notifications enabled
For some reason it tries to connect to pubsub-test.chatsecure.org. I also don't know what the stanzas issue means.
@mlmss The pubsub-test thing is because you installed Zom at one point, and there's currently no way to clear out the old pubsub registrations.
The OTR errors are unfortunate and am not exactly sure of the cause. Our resources are focused on finishing the OMEMO implementation, so we won't have much time to improve the current OTR behavior until that is complete. Would you be interested in beta testing the OMEMO version when it's ready?
@chrisballinger But do the pubsub registrations damage anything? Of course I would be interested, but I'm still not sure that my Prosody is configured properly.
Hi,
I just started an EtherCalc pad to collect information about your and others' experience with push. Feel free to add your data or additional columns (I suggest only adding columns where the information can be given by a normal user).
https://ethercalc.org/29iyo1nunqdp
Cheers
Hello everyone. I have been trying to get push notifications to iOS working without much luck. I am running Prosody 0.9.10. I have mod_smacks, mod_smacks_offline and mod_cloud_notify enabled. At first I had s2s disabled; once I enabled that, I started at least seeing data in the cloud_notify directory and some more relevant messages in the log files. This is the relevant log section. Connections to pubsub.chatsecure.org seem to be failing for whatever reason... ? I hope someone can shed some light on this... our chat server works great with Android mobile clients, but iOS is frustrating. The user in question does receive the messages, but it requires manually going into ChatSecure to bring it online. Thanks for any ideas...
Sep 01 16:07:20 c2s270c70 debug Handled 12 incoming stanzas
Sep 01 16:07:20 c2s270c70 debug Received[c2s]:
Sep 01 16:07:20 domain.com:cloud_notify debug Sending push notification for user@domain.com to pubsub.chatsecure.org
Sep 01 16:07:20 stanzarouter debug Routing to remote...
Sep 01 16:07:20 mod_s2s debug opening a new outgoing connection for this stanza
Sep 01 16:07:20 mod_s2s debug stanza [iq] queued until connection complete
Sep 01 16:07:20 mod_s2s debug First attempt to connect to pubsub.chatsecure.org, starting with SRV lookup...
Sep 01 16:07:20 adns debug Records for _xmpp-server._tcp.pubsub.chatsecure.org. not in cache, sending query (thread: 0x3343c8)...
Sep 01 16:07:20 adns debug Sending DNS query to 68.105.28.11
Sep 01 16:07:20 socket debug server.lua: closed client handler and removed socket from list
Sep 01 16:07:20 adns debug Reply for _xmpp-server._tcp.pubsub.chatsecure.org. (thread: 0x3343c8)
Sep 01 16:07:20 mod_s2s debug pubsub.chatsecure.org has SRV records, handling...
Sep 01 16:07:20 mod_s2s debug Best record found, will connect to pubsub.chatsecure.org.:5269
Sep 01 16:07:20 adns debug Records for pubsub.chatsecure.org. not in cache, sending query (thread: 0x21bf28)...
Sep 01 16:07:20 adns debug Sending DNS query to 68.105.28.11
Sep 01 16:07:20 adns debug Records for pubsub.chatsecure.org. not in cache, sending query (thread: 0x31b5b8)...
Sep 01 16:07:20 adns debug Sending DNS query to 68.105.28.11
Sep 01 16:07:20 adns debug Reply for pubsub.chatsecure.org. (thread: 0x21bf28)
Sep 01 16:07:20 mod_s2s debug DNS reply for pubsub.chatsecure.org. gives us 107.170.218.87
Sep 01 16:07:20 socket debug server.lua: closed client handler and removed socket from list
Sep 01 16:07:20 adns debug Reply for pubsub.chatsecure.org. (thread: 0x31b5b8)
Sep 01 16:07:20 s2sout1b7428 info Beginning new connection attempt to pubsub.chatsecure.org ([107.170.218.87]:5269)
Sep 01 16:07:20 s2sout1b7428 debug Connection attempt in progress...
Sep 01 16:07:20 s2sout1b7428 debug sending: <?xml version='1.0'?>
Sep 01 16:07:20 s2sout1b7428 debug sending: <stream:stream xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'
from='domain.com' to='pubsub.chatsecure.org' xml:lang='en' xmlns='jabber:server'>
Sep 01 16:07:20 s2sout1b7428 debug Received[s2sout_unauthed]:
Sep 01 16:07:20 domain.com:tls debug Received features element
Sep 01 16:07:20 domain.com:tls debug pubsub.chatsecure.org is offering TLS, taking up the offer...
Sep 01 16:07:20 s2sout1b7428 debug sending:
Sep 01 16:07:20 s2sout1b7428 debug Received[s2sout_unauthed]:
Sep 01 16:07:20 domain.com:tls debug Proceeding with TLS on s2sout...
Sep 01 16:07:20 socket debug server.lua: attempting to start tls on tcp{client}: 0x19d0d0
Sep 01 16:07:20 socket debug server.lua: ssl handshake done
Sep 01 16:07:20 s2sout1b7428 debug Sending stream header...
Sep 01 16:07:20 s2sout1b7428 debug sending: <?xml version='1.0'?>
Sep 01 16:07:20 s2sout1b7428 debug sending: <stream:stream xmlns:db='jabber:server:dialback' xmlns:stream='http://etherx.jabber.org/streams' version='1.0'
from='domain.com' to='pubsub.chatsecure.org' xml:lang='en' xmlns='jabber:server'>
Sep 01 16:07:20 s2sout1b7428 debug certificate chain validation result: valid
Sep 01 16:07:20 x509 debug Cert dNSName pubsub.chatsecure.org matched hostname
Sep 01 16:07:20 s2sout1b7428 debug certificate identity validation result: valid
Sep 01 16:07:20 s2sout1b7428 debug Received[s2sout_unauthed]:
Sep 01 16:07:20 domain.com:tls debug Received features element
Sep 01 16:07:20 domain.com:saslauth debug Initiating SASL EXTERNAL with pubsub.chatsecure.org
Sep 01 16:07:20 s2sout1b7428 debug sending:
Sep 01 16:07:20 s2sout1b7428 debug Received[s2sout_unauthed]:
Sep 01 16:07:20 domain.com:saslauth info SASL EXTERNAL with pubsub.chatsecure.org failed
Sep 01 16:07:20 domain.com:dialback debug SASL EXTERNAL failed, falling back to dialback
Sep 01 16:07:20 s2sout1b7428 debug sending:
Sep 01 16:07:20 s2sout1b7428 info sent dialback key on outgoing s2s stream
Sep 01 16:07:20 s2sout1b7428 debug Received /stream:stream
Sep 01 16:07:20 s2sout1b7428 debug sending: /stream:stream
Sep 01 16:07:20 s2sout1b7428 info outgoing s2s stream domain.com->pubsub.chatsecure.org closed: stream closed
Sep 01 16:07:20 s2sout1b7428 debug Destroying outgoing session domain.com->pubsub.chatsecure.org
Sep 01 16:07:20 s2sout1b7428 info Sending error replies for 1 queued stanzas because of failed outgoing connection to pubsub.chatsecure.org
Sep 01 16:07:20 stanzarouter debug Received[s2sin]:
Sep 01 16:07:20 stanzarouter debug Discarding iq from s2sin of type: error
Sep 01 16:07:20 s2sout1b7428 debug s2s disconnected: nil->nil (connection closed)
Sep 01 16:07:20 socket debug server.lua: closed client handler and removed socket from list
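The Prosody logs posted in this thread repeat two outgoing-s2s failure signatures: "SASL EXTERNAL with <peer> failed" followed by a dialback key and "closed: stream closed" (the peer rejected our certificate and did not keep the stream on dialback), and "Out of connection options" (DNS/SRV gave nothing to connect to), each followed by "Sending error replies for N queued stanzas", which is where the push IQs go. The Go program below is an added example, not part of Prosody or ChatSecure: it parses such lines, attributes them to a remote domain (by the domain in the message where there is one, otherwise via the s2sout<id> source seen on the connection attempt), totals the dropped stanzas and states a verdict per domain. The sample log is constructed from the Oct 05 lines posted above; the `Diagnose`/`Diagnosis` names and the verdict wording are the example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// SampleLog is constructed from the Oct 05 Prosody excerpt posted in this
// thread, one record per line, with the two failure signatures side by side.
const SampleLog = `
Oct 05 22:52:35 s2sout1645860 info Beginning new connection attempt to pubsub.chatsecure.org ([107.170.218.87]:5269)
Oct 05 22:52:35 s2sout179f9e0 info Out of connection options, can't connect to pubsub-test.chatsecure.org
Oct 05 22:52:35 s2sout179f9e0 info Sending error replies for 6 queued stanzas because of failed outgoing connection to pubsub-test.chatsecure.org
Oct 05 22:52:36 xmpp.example.com:saslauth info SASL EXTERNAL with pubsub.chatsecure.org failed
Oct 05 22:52:36 s2sout1645860 info sent dialback key on outgoing s2s stream
Oct 05 22:52:36 s2sout1645860 info outgoing s2s stream xmpp.example.com->pubsub.chatsecure.org closed: stream closed
Oct 05 22:52:36 s2sout1645860 info Sending error replies for 4 queued stanzas because of failed outgoing connection to pubsub.chatsecure.org
`

// Prosody 0.9 log format: "<Mon DD HH:MM:SS> <source> <level> <message>".
var (
	lineRe    = regexp.MustCompile(`^\w{3} \d\d \d\d:\d\d:\d\d (\S+) (?:debug|info|warn|error) (.*)$`)
	attemptRe = regexp.MustCompile(`^Beginning new connection attempt to (\S+) `)
	noOptsRe  = regexp.MustCompile(`^Out of connection options, can't connect to (\S+)$`)
	saslRe    = regexp.MustCompile(`^SASL EXTERNAL with (\S+) failed$`)
	closedRe  = regexp.MustCompile(`^outgoing s2s stream \S+?->(\S+) closed: `)
	droppedRe = regexp.MustCompile(`^Sending error replies for (\d+) queued stanzas because of failed outgoing connection to (\S+)$`)
)

// Diagnosis summarises the outgoing s2s attempts towards one remote domain.
type Diagnosis struct {
	Domain             string
	OutOfOptions       bool // DNS/SRV produced nothing usable
	SASLExternalFailed bool // peer rejected our certificate
	DialbackTried      bool
	StreamClosed       bool // peer closed after dialback: queued push IQs were never delivered
	DroppedStanzas     int
	Verdict            string
}

// Diagnose correlates messages without a domain (dialback key) through the
// s2sout<id> source recorded on the connection attempt for that session.
func Diagnose(log string) map[string]*Diagnosis {
	out := map[string]*Diagnosis{}
	get := func(d string) *Diagnosis {
		if out[d] == nil {
			out[d] = &Diagnosis{Domain: d}
		}
		return out[d]
	}
	session := map[string]string{} // s2sout<id> -> remote domain
	for _, raw := range strings.Split(log, "\n") {
		m := lineRe.FindStringSubmatch(strings.TrimSpace(raw))
		if m == nil {
			continue
		}
		src, msg := m[1], m[2]
		if mm := attemptRe.FindStringSubmatch(msg); mm != nil {
			session[src] = mm[1]
			get(mm[1])
		} else if mm := noOptsRe.FindStringSubmatch(msg); mm != nil {
			session[src] = mm[1]
			get(mm[1]).OutOfOptions = true
		} else if mm := saslRe.FindStringSubmatch(msg); mm != nil {
			get(mm[1]).SASLExternalFailed = true
		} else if strings.HasPrefix(msg, "sent dialback key") {
			if d, ok := session[src]; ok {
				get(d).DialbackTried = true
			}
		} else if mm := closedRe.FindStringSubmatch(msg); mm != nil {
			get(mm[1]).StreamClosed = true
		} else if mm := droppedRe.FindStringSubmatch(msg); mm != nil {
			n, _ := strconv.Atoi(mm[1])
			get(mm[2]).DroppedStanzas += n
		}
	}
	for _, d := range out {
		d.Verdict = verdict(d)
	}
	return out
}

func verdict(d *Diagnosis) string {
	switch {
	case d.OutOfOptions:
		return "nothing to connect to: check the remote's SRV/A records and the local resolver"
	case d.SASLExternalFailed && d.StreamClosed:
		return "peer rejected our certificate for SASL EXTERNAL and closed the stream after dialback: check chain (intermediates), EKU bits and SAN coverage"
	case d.SASLExternalFailed:
		return "SASL EXTERNAL failed but the stream survived on dialback"
	}
	return "no outgoing s2s failure seen"
}

func main() {
	res := Diagnose(SampleLog)
	domains := make([]string, 0, len(res))
	for d := range res {
		domains = append(domains, d)
	}
	sort.Strings(domains)
	for _, d := range domains {
		fmt.Printf("%-28s dropped=%d  %s\n", d, res[d].DroppedStanzas, res[d].Verdict)
	}
}
```

Feed it a whole Prosody log instead of SampleLog and the per-domain totals tell you which remote (pubsub vs. pubsub-test here) is eating the push IQs and for which reason, before touching certificates or DNS.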